Example 1 with GetSessionTokenResult

Use of com.amazonaws.services.securitytoken.model.GetSessionTokenResult in the Apache Hadoop project.

From the class ITestS3ATemporaryCredentials, method testSTS.

/**
 * Test use of STS for requesting temporary credentials.
 *
 * The property test.sts.endpoint can be set to point this at different
 * STS endpoints. This test will use the AWS credentials (if provided) for
 * S3A tests to request temporary credentials, then attempt to use those
 * credentials instead.
 *
 * @throws IOException
 */
@Test
public void testSTS() throws IOException {
    Configuration conf = getContract().getConf();
    if (!conf.getBoolean(TEST_STS_ENABLED, true)) {
        skip("STS functional tests disabled");
    }
    S3xLoginHelper.Login login = S3AUtils.getAWSAccessKeys(URI.create("s3a://foobar"), conf);
    if (!login.hasLogin()) {
        skip("testSTS disabled because AWS credentials not configured");
    }
    AWSCredentialsProvider parentCredentials = new BasicAWSCredentialsProvider(login.getUser(), login.getPassword());
    String stsEndpoint = conf.getTrimmed(TEST_STS_ENDPOINT, "");
    AWSSecurityTokenServiceClient stsClient;
    stsClient = new AWSSecurityTokenServiceClient(parentCredentials);
    if (!stsEndpoint.isEmpty()) {
        LOG.debug("STS Endpoint ={}", stsEndpoint);
        stsClient.setEndpoint(stsEndpoint);
    }
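    // Request a session token with a 900-second lifetime, the shortest
    // duration GetSessionToken accepts.
    GetSessionTokenRequest sessionTokenRequest = new GetSessionTokenRequest();
    sessionTokenRequest.setDurationSeconds(900);
    GetSessionTokenResult sessionTokenResult;
    sessionTokenResult = stsClient.getSessionToken(sessionTokenRequest);
    Credentials sessionCreds = sessionTokenResult.getCredentials();
    // Copy the temporary access key, secret key and session token into the
    // configuration, and select the credentials provider named by
    // PROVIDER_CLASS, so the filesystem created below authenticates with the
    // session credentials.
    String childAccessKey = sessionCreds.getAccessKeyId();
    conf.set(ACCESS_KEY, childAccessKey);
    String childSecretKey = sessionCreds.getSecretAccessKey();
    conf.set(SECRET_KEY, childSecretKey);
    String sessionToken = sessionCreds.getSessionToken();
    conf.set(SESSION_TOKEN, sessionToken);
    conf.set(AWS_CREDENTIALS_PROVIDER, PROVIDER_CLASS);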
    try (S3AFileSystem fs = S3ATestUtils.createTestFileSystem(conf)) {
        createAndVerifyFile(fs, path("testSTS"), TEST_FILE_SIZE);
    }
    // now create an invalid set of credentials by changing the session
    // token
    conf.set(SESSION_TOKEN, "invalid-" + sessionToken);
    try (S3AFileSystem fs = S3ATestUtils.createTestFileSystem(conf)) {
        createAndVerifyFile(fs, path("testSTSInvalidToken"), TEST_FILE_SIZE);
        fail("Expected an access exception, but file access to " + fs.getUri() + " was allowed: " + fs);
    } catch (AWSS3IOException ex) {
        LOG.info("Expected Exception: {}", ex.toString());
        LOG.debug("Expected Exception: {}", ex, ex);
    }
}
Also used:
Configuration (org.apache.hadoop.conf.Configuration)
GetSessionTokenResult (com.amazonaws.services.securitytoken.model.GetSessionTokenResult)
AWSSecurityTokenServiceClient (com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient)
S3xLoginHelper (org.apache.hadoop.fs.s3native.S3xLoginHelper)
GetSessionTokenRequest (com.amazonaws.services.securitytoken.model.GetSessionTokenRequest)
AWSCredentialsProvider (com.amazonaws.auth.AWSCredentialsProvider)
Credentials (com.amazonaws.services.securitytoken.model.Credentials)
AWSCredentials (com.amazonaws.auth.AWSCredentials)
Test (org.junit.Test)
